Fine-grained DBus sandboxing #3265
Conversation
|
I have been using this for a couple of days with local profiles and it seems to work fine. For example, Lets Spotify display notifications and be controller over MPRIS. However, the situation is not as rosy with e.g. Electron based apps. They need a rather permissive because they need to own names in the form I also tried to use desktop portals with and |
Hm, I knew about those tray icon issues for qt apps but electron apps (which are more gtk than qt) in flatpak are able to show tray icon with just The /tmp issue may be fixed with
Installing xdg-desktop-portal & xdg-desktop-portal-{gtk,kde} and enabling systemd user services (if they aren't already): should be sufficient. Did you tested apps that actually support portals? AFAIK chromium/electron doesn't. Note that for Qt apps you need to use |
I tried that, but it failed to display an icon & complained about not owning the well-known name for the icon. Maybe because I am trying to run Wavebox 10, which is not "really" an Electron app (more like a forked Chromium, with some Electron bits).
Thanks for these pointers!
Oh that's a pity. |
There was a problem hiding this comment.
- manpage: example filter
- For what is dbus-* allow? Not using dbus-* at all will also allow D-Bus access.
- just noting: nodbus vs. dbus-* allow: the later will win
- future of
HAS_NODBUS?
meld, rhytmbox, gnome-maps, gfeeds
diff --git a/etc/gfeeds.profile b/etc/gfeeds.profile
index d332c1bb..b68fd864 100644
--- a/etc/gfeeds.profile
+++ b/etc/gfeeds.profile
@@ -37,7 +37,6 @@ caps.drop all
machine-id
netfilter
no3d
-#nodbus
nodvd
nogroups
nonewprivs
@@ -57,3 +56,8 @@ private-bin gfeeds,python3*
private-dev
private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,fonts,gconf,group,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
private-tmp
+
+dbus-user filter
+dbus-user.own org.gabmus.gfeeds
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
index 62350b86..2abef929 100644
--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -62,3 +62,16 @@ private-bin gjs,gnome-maps
private-dev
private-etc alternatives,ca-certificates,clutter-1.0,crypto-policies,dconf,drirc,fonts,gconf,gcrypt,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pkcs11,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Maps
+dbus-user.talk org.gnome.OnlineAccounts
+dbus-user.talk org.gnome.evolution.dataserver.AddressBook9
+dbus-user.talk org.gnome.evolution.dataserver.Calendar7
+dbus-user.talk org.gnome.evolution.dataserver.Sources5
+dbus-user.talk org.gnome.evolution.dataserver.Subprocess.Backend.*
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk ca.desrt.dconf
+dbus-system filter
+dbus-system.talk org.freedesktop.NetworkManager
+dbus-system.talk org.freedesktop.GeoClue2
diff --git a/etc/meld.profile b/etc/meld.profile
index 9a320c13..1e37ff9c 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -69,4 +69,9 @@ private-dev
#private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion
private-tmp
+dbus-user filter
+dbus-user.own org.gnome.meld
+dbus-user.talk ca.desrt.dconf
+dbus-system none
+
read-only ${HOME}/.ssh
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index ad8b1015..0f70b4e3 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -31,7 +31,6 @@ include whitelist-var-common.inc
# apparmor - makes settings immutable
caps.drop all
netfilter
-# nodbus - makes settings immutable
nogroups
nonewprivs
noroot
@@ -46,3 +45,15 @@ tracelog
private-bin rhythmbox,rhythmbox-client
private-dev
private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Rhythmbox3
+dbus-user.own org.gnome.UPnP.MediaServer2.Rhythmbox
+dbus-user.own org.mpris.MediaPlayer2.rhythmbox
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.gnome.SettingsDaemon.MediaKeys
+dbus-user.talk org.gtk.vfs
+dbus-user.talk org.gtk.vfs.*
+dbus-system filter
+dbus-system.talk org.freedesktop.AvahiEDIT: add gfeeds
Thanks, good catch!
It seemed to be the logical thing to do. On the other hand, maybe only
One way to fix this would be to force the policies to the always strengthened by subsequent profile entries, i.e.,
Logically, a sandbox with blocked DBus |
|
More conditions? Sure. I mean what will/should be the behaviour for e.g. |
|
That's a good question. Searching through the firejail repo in order to find uses of ?HAS_NODBUS that are hopefully similar to uses in other profiles in the wild, I could basically find two:
To sum up, setting ?HAS_NODBUS if any DBus filtering or blocking is in effect is safe for profiles which use it for optionally tightening the sandbox, while does not degrade profiles that use it to apply workarounds. Profiles of the latter kind could be eventually updated to use fine-grained filters to avoid the regressions in the first place. |
kris7t
force-pushed
the
dbus-proxy
branch
2 times, most recently
from
53540a6
to
c7b0396
Compare
|
Naive question: Would it be possible to run the proxy early as a child of the sandbox process? EDIT: There is actually not much of a difference, but running it inside all of the sandbox namespaces maybe could add a bit extra peace of mind. |
Or maybe that's not a good idea. If it runs in the same pid namespace, it can be vulnerable to attacks with ptrace, which the current design avoids. |
|
I was originally trying to run the proxy inside the sandbox, but I had to realize that
We could create a "nesting doll" construction, where a essentially an "outer" set of namespaces isolates the sandbox from the rest of the world, and an "inner" set of namespaces isolates the program being sandboxed from the sandbox implementation. The "outer" container would be a nice place to run not only xdg-dbus-proxy, but also stuff like Xephyr. On the other hand, this would be a significant architectural change that nets relatively little security improvement. |
|
I revised the options
I am still not entirely satisfied by this design: to relax a profile from filtering to DBus allowed in a |
|
Thanks for this work - this is exactly what I've been looking for! One note - some systemd based systems use a different path for the user dbus socket: /run/user/%d/dbus/user_bus_socket. These should have the correct path set in the DBUS_SESSION_BUS_ADDRESS env var. Perhaps this should be checked first, then if it's not set fallback to /run/user/%d/bus. |
|
@rusty-snake @glitsj16 What do you think about the interface for profiles? With the changes (#3265 (comment)) it is hopefully a bit harder to misuse, and compatibility with |
|
@rusty-snake Currently, firejail will
to profiles that currently does not have However, 3 hints at the suboptimality of the current filter rule design: if e.g.). |
|
@kris7t Just a FYI, I'm following the work you have been doing here without explicitly participating in the discussion. As @rusty-snake is on to it, we should be fine to adjust profiles when this gets merged. Very much appreciated! |
|
Apologies for coming back, just one more idea: Would it make sense to run dbus_proxy_start with dropped privileges and then start the proxy in its own Firejail sandbox? |
|
@smitsohu Yeah, I was thinking about that, since the proxy only needs access to One compilcation is the handling of the file descriptors, though. Perhaps we could add a general-purpose On the other hand, |
You're right, I didn't think of that. The benefits of a full sandbox would be limited. |
|
@kris7t I'm with @glitsj16 once this is in master the profile can be modified. As a follow-up: xdg-dbus-proxys --log argument. It logs all the dbus-traffic to stdout (needs to be redirected). Either as --dbus-log (just a simple (maybe raw) log) or better as |
|
@kris7t can you rebase. |
Allow setting a separate policy for the user and system buses. For now, the filter policy is equivalent to the none (block) policy. Future commits will add more configuration options and filters.
To contain processes forked for long time, such as the xdg-dbus-proxy, sbox_exec_v can be used, which is the non-forking version of sbox_run_v. Additionally, the SBOX_KEEPS_FDS flag avoid closing any open fds, so fds needed by the subordinate process can be left open before calling sbox_exec_v. This flag does not makes sense for sbox_run_v, and causes an assertion failure.
* The proxy is forked off outside the sandbox namespace to protect the fds of the original buses from the sandboxed process. * The /run/firejail/dbus directory (with the sticky bit set) holds the proxy sockets. The sockets are <parent pid>-user and <parent pid>-system for the user and system buses, respectively. Each socket is owned by the sandbox user. * The sockets are bind-mounted over their expected locations and the /run/firejail/dbus directory is subsequently hidden from the sandbox. * Upon sandbox exit, the xdg-dbus-proxy instance is terminated and the sockets are cleaned up. * Filter rules will be added in a future commit.
The options --dbus-user.talk, --dbus-user.own, --dbus-system.talk, and --dbus-system.own control which names can be accessed and owned on the user and system buses.
To avoid race conditions, the proxy sockets from /run/firejail/dbus/ are bind-mounted to /run/firejail/mnt/dbus/, which is controlled by root. Instead of relying on the default locations of the DBus sockets, the environment variables DBUS_SESSION_BUS_ADDRESS and DBUS_SYSTEM_BUS_ADDRESS are set accordingly. User sockets are tried in the following order when starting the proxy: * DBUS_SESSION_BUS_ADDRES * /run/user/<pid>/bus * /run/user/<pid>/dbus/user_bus_socket These are all blocked (including DBUS_SESSION_BUS_ADDRESS if it points at a socket in the filesystem) when the filtering or blocking policy is active. System sockets are tried in the following order: * DBUS_SYSTEM_BUS_ADDRESS * /run/dbus/system_bus_socket These are all blocked (including DBUS_SYSTEM_BUS_ADDRESS if it points at a socket in the filesystem) when the filtering or blocking policy is active.
This patch also allows setting the DBus policies to filter even if xdg-dbus-proxy is not installed. In that case, unrestricted access to the bus is allowed, but a warning is emitted.
|
@rusty-snake done. |
|
Big thanks to everyone for the reviews and comments! As a next step, I'll work on adding DBus logging (#3265 (comment)) to help profile creation. |
Reset the bold right after each command/argument.
Command used to check for issues:
git grep -E ' \\fR' -- src/man/*.in
Related commits:
* e91b9ff ("Deprecate --nodbus option", 2020-04-07) /
PR netblue30#3265
* 5a61202 ("rename noautopulse to keep-config-pulse", 2021-05-13) /
PR netblue30#4278
* d79547c ("docs: warn about limitations of landlock", 2024-03-31) /
PR netblue30#6302
This is a follow-up to netblue30#6451.
Relates to netblue30#6078.
Reset the bold right after each command/argument.
Command used to check for issues:
git grep -E ' \\fR' -- src/man/*.in
Related commits:
* e91b9ff ("Deprecate --nodbus option", 2020-04-07) /
PR #3265
* 5a61202 ("rename noautopulse to keep-config-pulse", 2021-05-13) /
PR #4278
* d79547c ("docs: warn about limitations of landlock", 2024-03-31) /
PR #6302
This is a follow-up to #6451.
Relates to #6078.
This PR adds the
dbus-useranddbus-systemoptions to individually control access to the session and system DBus buses, as per #3184. Access policies to the buses can beallow, which completely allows the bus,filter, which runsxdg-dbus-proxy, andnone, which disables access. Thenodbusoptions, which is equivalent todbus-user nonedbus-system noneis kept for compatibility.Filter rules for
xdg-dbus-proxycan be specified with thedbus-user.talk,dbus-user.own,dbus-system.talk, anddbus-system.ownoptions. Whilexdg-dbus-proxyimplements finer-grained rules, these four should hopefully be enough to convert filter rules from Flatpak manifests.On the implementation side:
blacklistandwhitelistcommands.xdg-dbus-proxyruns outside the sandbox namespace (to maintain access to the original DBus sockets), but contained by a modified version ofsbox_run. It is linked to the parent firejail process by a pipe fd, closing which triggers its exit, so it (hopefully) quits when the parent firejail process exits for any reason./run/firejail/dbusand are bind-mounted to their usual locations inside the sandbox. Even the system DBus socket is owned the user running the sandbox, not root, because if wechownit to root, xdg-dbus-proxy cannot clean them up when it exits (an the parent firejail process might not be around to clean the up instead). So inside the sandbox, the system DBus socket is owned by a normal user. This does not cause any problems when connecting to the bus, but might be used to detect the sandbox.This PR does not contain any profile changes, so all profiles remain to constrain DBus access in a coarse-grained way. Hopefully, in the future, profiles can be updated to take advantage of DBus filtering, but that might require a hard dependency on xdg-dbus-proxy, or some auto-detection mechanism.